JHAS Rating Approach and Assessment of SW Vulnerabilities—All ITSEFs Will Become Hackers (S11d)
We start from a question: how do we rate the overall attack-resistance level of a solution that is subject to software exploitation attacks? In this presentation, we discuss the approaches currently available in the security community, starting from the JIL rating, which focuses on hardware attacks, and moving on to software-centred standards such as CVSS. We compare the categories used to rate a vulnerability, such as required time, cost and expertise, and give a pros/cons comparison. We review the role of software attack-mitigation techniques in software rating. The first consideration is that exploit mitigations implemented in the product affect the difficulty of developing a working, weaponised exploit against such a solution; however, they are only effective when the overall vulnerability density is low enough. The second consideration for software rating is that manual code review has an inherent flaw: certain vulnerability classes are hard to find without additional tooling. The example used to illustrate this is a race-condition-triggered use-after-free that spans subsystems. We will also use public, real-world exploitation cases to discuss the difficulty of finding a vulnerability versus building a usable exploit, and whether an ITSEF can estimate the severity of a finding instead of building a working exploit.